Cross-Reference To Related Application 

[0001] This application claims priority to and the benefit of, and incorporates herein by 
reference, in its entirety, U.S. provisional patent application Serial Number 60/402,255, filed 
August 9, 2002. 

Field of the Invention 

[0002] The invention relates generally to computer networks and more specifically to 
network performance data collection/conversion and filtering for intrusion detection. 

Background of the Invention 

[0003] An organization's local area networks (LANs) typically communicate with a wide 
area network (WAN), such as the Internet. Such connections to WANs, which are typically 
outside the enterprise, leave the LANs vulnerable to intrusion attack. 

[0004] An Intrusion Detection System (IDS) allows detection of an actual or attempted 
unauthorized access into an organization's computer network. Even though existing IDSs are 
very useful in intrusion detection, they generally suffer from false positives (i.e. generating an 
alert when there is really none) and false negatives (i.e. failing to generate an alert even though 
an intrusion is underway). In addition, IDS systems frequently do not provide capability for 
forensic analysis once an attack is detected. 

[0005] Intrusion attacks typically originate from outside an organization's network, in that 
they are directed into an organization's network via its "connection" to the outside world - which 
is typically the WAN interface. However, since existing IDSs are typically located on a LAN, 
the IDS typically sees a mixture of internal traffic, which is generally safe, and external traffic, 
which potentially contains intrusion attacks. Due to IDS limitations, there are circumstances 
when benign, internal traffic can be wrongly interpreted by an IDS to be an intrusion 
attack, thereby resulting in a false positive. 
[0006] IDSs have to process a large amount of traffic in order to uncover intrusion attacks. 
However, due to performance limitations, they are likely to drop some traffic. There is a 
reasonable probability that this "dropped traffic" contains valuable, intrusion-related information 
that would have caused the IDS to issue an alert. Hence, due to performance limitations, an IDS 
could potentially generate a false negative even while an intrusion is underway. 

[0007] Existing IDSs are primarily focused on flagging attacks. Some IDSs provide event 
logs that give a limited historical view of the events that triggered an alert. 

Summary of the Invention 

[0008] The present invention provides a system and method for detecting network intrusions 
while minimizing the number of false detections and missed detections. The context of the 
network traffic is preserved during a detected intrusion, thereby facilitating further tracing and 
analysis. 

[0009] If an IDS generates a large amount of false positives and/or negatives, user confidence 
in the IDS will be low. Hence, there is a need to reduce the number of false positives/negatives 
that an IDS generates. In addition, intruders are innovative and are always attempting new 
schemes to outwit IDSs. Hence, it is important that a security analyst be provided with additional 
data points that can improve interpretation of events flagged by the IDS and can provide 
information that will allow an analyst to uncover intrusions that the IDS would otherwise fail to 
detect. Hence, there is a need to supplement existing IDSs in several ways. 

[0010] The utility of existing IDSs can be improved by combining the IDSs with certain 
functionality, which can be provided by Network Performance Probes now used for the 
management and monitoring of networks. Network Performance Probes - such as the 
NETSCOUT NGENIUS family of Probes - are available for monitoring many different network 
topologies (both LAN and WAN) and provide information such as statistics related to protocols, 
hosts, and conversations, response time measurements, QoS-monitoring, historical trending of 
network traffic, and so on. By making use of already-existing probe features and by adding new 
functionality specific to intrusion detection, the combination of an enhanced network probe and 
an IDS will result in a greatly improved intrusion detection system. 

[0011] In one implementation, IDS functionality is added to an existing network probe. The 
probe converts WAN traffic into Ethernet format traffic that an existing IDS can monitor. 
Including the IDS-support functionality within the probe enables an IDS to see only WAN traffic. 
Hence, false positives arising from wrongly interpreting (benign) LAN traffic are eliminated. 
Furthermore, WANs are generally slower than LANs, so the IDS is now exposed to a reduced 
amount of traffic. False negatives resulting from performance shortcomings of an IDS are 
therefore minimized. 

[0012] In general, in one aspect, the invention relates to a network performance probe 
configured to forward packets monitored on a network link to an IDS. The network performance 
probe monitors a first network link using a first network interface. This first network link can be 
any type of network link, so long as the probe is capable of monitoring it. Some network 
performance probes can be configured to monitor many different types of network links, for 
example HSSI, T1/E1, ATM, Frame-DS3, Packet-over-Sonet/SDH, 10G Ethernet, and 
encapsulated traffic such as MPLS, VLANs (e.g., 802.1q) etc. In one preferred embodiment, the 
first network link is the part of the network associated with a WAN or aggregated LAN links (for 
example those used in "trunking" applications). This LAN/WAN link is frequently a desirable 
location for network performance monitoring and is also typically a useful point for intrusion 
detection. 

[0013] In addition to communicating with the first network link, the network performance 
probe also communicates with a second network link via a second network interface. In a 
preferred embodiment, an IDS is installed on the second network link. In one such embodiment, 
the second network link is a LAN, so that a commercially available IDS configured for 
communication over a LAN can be used in combination with the network performance probe. 

[0014] The network performance probe converts packets monitored on the first network link 
into a format suitable for the second network link. The probe transmits the converted packets 
over the second network link, thereby allowing the packets to be monitored by an IDS in 
communication with the second network link. The conversion process includes storing received 
packets in a collection buffer, stripping header (and optionally checksum) information associated 
with a protocol of the first network link, and adding header (and optionally checksum) 
information associated with a protocol of the second network link. The conversion process is 
user-configurable. For example, the user can specify that no conversion needs to be done for 
frames that have either MPLS or VLAN tags. 

[0015] In some embodiments, the probe can aggregate packets from additional network links 
(in addition to the first network link), for example, from a third and/or fourth network link and so 
on, so that the probe relays packets monitored on the first and the additional network link(s) over 
the second network link. This allows the combined packets from two or more network links to 
be monitored by the IDS. This is also particularly useful for network links which are 
implemented with multiple network connections. For example, if a link is formed of two 
network connections between point A and point B, the two network connections can be 
monitored and aggregated by the probe and the packets made available for intrusion detection. 
Likewise, three or more links can be aggregated. 

[0016] In general, the probe can function in concert with the IDS while continuing to engage 
in network performance analysis functions. The intrusion detection functionality is provided 
without significant degradation in the operation of the probe. In one embodiment, this is 
accomplished by the addition of hardware to the probe, in the form of a plug-in card, referred to 
as the "Network Security Adapter," which operates in parallel with network performance 
hardware. This plug-in card can take the place of a network interface card which the probe may 
already be configured to accept. 

[0017] In some embodiments, the probe also includes a filter, which filters packets on the 
first network link (and, if present, additional aggregated network links) before relaying the 
packets to the IDS via the second network link. The probe can be configured to filter packets 
that are not likely to be useful for intrusion detection. Management information, for example, 
can be filtered out if it will not be used by the IDS. As a specific example, if the first network 
(and any optional additional network links) is an ATM network, control or management traffic 
data such as F4 OAM Cells, F5 OAM Cells, Flow Control (e.g., RM Cell), UNI 3.x, and UNI 4.0 
signaling frames will automatically be filtered. This will reduce the amount of traffic that an 
IDS has to process, thereby further reducing the likelihood of false negatives. 

[0018] In one implementation, the probe maintains an audit trail buffer, also referred to as a 
log, of network traffic. This audit trail buffer stores network traffic (either filtered or unfiltered) 
for a predetermined amount of traffic or time interval. Newer traffic replaces old, such that the 
buffer always contains a record of recent network traffic. Upon request, for example upon the 
detection of an intrusion event, the probe can provide the log contents to the IDS or other tool for 
use in forensic analysis. Optionally, the audit trail buffer can be directed to an external 
permanent storage media in an appropriate format (file system) so that a 24x7 Network 
Surveillance and Correlation can be performed. In this mode, the Network Security Adaptor 
(described above) operates as a Network Flow Director since it converts and directs the incoming 
traffic flow (that is being monitored) into an external permanent storage media. Once the 
information is externally stored, the user can replay the data at any given point in time (in the past) 
to correlate Intrusion Attacks or any other event that would be interesting to a Network 
Administrator. The stored data will be saved in appropriate file formats so that the replay can be 
done either using existing Network Management Applications (such as NETSCOUT's nGenius 
Performance Manager) or by using application-specific replay devices. For example, if the 
stored traffic contains Voice-over-IP traffic, then an external Application (Voice-over-IP Media 
Player) can be used to replay the audio/video portion of the traffic that is stored on the permanent 
storage media. 

[0019] The invention also generally relates to a system for enhanced intrusion detection that 
includes a probe implementing features described above. The probe includes a first network 
interface for monitoring packets communicated over the first network link, a second network 
interface for communicating over the second network link, and additional interfaces, as 
necessary, for any optional additional network links. The probe includes a packet converter for 
converting the monitored data packets into a format suitable for the second network link. 

[0020] Other aspects and advantages of the present invention will become apparent from the 
following detailed description, taken in conjunction with the accompanying drawings, illustrating 
the principles of the invention by way of example only. 
Brief Description of the Drawings 

[0021] The foregoing and other objects, features, and advantages of the present invention, as 
well as the invention itself, will be more fully understood from the following description of 
various embodiments, when read together with the accompanying drawings, in which: 

• FIG. 1 is a graphical presentation of a probe in communication with an IDS system 
device in accordance with an embodiment of the invention; 

• FIG. 2 is a block diagram of a probe in accordance with an embodiment of the 
invention; 

• FIG. 3 is a flowchart that depicts the operation of a probe in accordance with an 
embodiment of the invention; 

• FIG. 4 is a block diagram of a converter module and filter module of FIG. 2 in 
accordance with an embodiment of the invention; 

• FIG. 5 is a flowchart that depicts a method of probe operation in accordance with an 
embodiment of the invention; 

• FIG. 6A is a graphical representation of an ATM frame in accordance with an 
embodiment of the invention; and 

• FIG. 6B is a graphical representation of a converted frame of FIG. 6A in accordance 
with an embodiment of the invention. 

Detailed Description 

[0022] As shown in the drawings for the purposes of illustration, the invention may be 
embodied in a system and method for network intrusion detection that receive, convert, and filter 
data packets. The data packets are monitored to ascertain network performance. Performance 
outside of expected norms can be indicative of an intrusion, and a system according to the 
invention preserves the associated network traffic and context for further analysis. 

[0023] With reference to the exemplary embodiment illustrated in FIG. 1, a WAN 10 is in 
communication over a LAN/WAN link 15 with a gateway 20 that connects one or more LAN 
segments 30. The WAN 10 can be a public or private wide area network, and in one 
embodiment the WAN 10 is part of or connected to the Internet. The LAN/WAN link 15, for 
example, can include (but is not limited to) network topologies such as HSSI, T1/E1, ATM, 
Frame-DS3, Packet-over-Sonet/SDH, 10G Ethernet, ATM/POS OC-192, and encapsulated traffic 
such as MPLS. The gateway 20 can be a firewall or a router, for example, or some combination. 
The gateway 20 can route packets between networks 10, 30, as shown, or can in other 
embodiments connect to other gateways, firewalls, routers, and so on that provide connectivity 
and security among various networks. 

[0024] A probe 40 is installed on the LAN/WAN link 15. The probe is preferably a network 
performance probe, such as the NETSCOUT NGENIUS probe, but the probe can be any sort of 
device that can perform the capabilities described herein. The probe 40 monitors network traffic 
on the LAN/WAN link 15 flowing to and from the gateway 20. Data captured by the probe is 
typically used to monitor the status and performance of the network. The probe collects pertinent 
information from monitored packets (which are also referred to as frames) and collates this 
information into tables commonly called a Management Information Base (MIB). For example, 
the probe 40 can capture data specified by the industry standard IETF RMON1 MIB 
(IETF RFC 1757) and RMON2 MIB (IETF RFC 2021) as well as special MIBs (e.g. those designed 
to track Application Response Time Measurements, QoS Measurements). The probe 40 allows 
the MIB information to be retrieved by an application that has the authorization to do so. A 
typical probe, for example, will receive a packet and take certain actions, which actions could 
depend on the characteristics of the packet. A probe will typically collect statistics relevant to 
low and higher network layers. At a low level, for example, the data link layer, the probe might 
collect statistics about the utilization of the monitored network link, identify the source and 
destination of the packet, capture the packet and copy it into a buffer for detailed analysis. The 
probe might also parse the packet to identify the network and application layer protocols 
embedded in the packet, and collect the relevant network layer addresses to identify the original 
source and ultimate destination for the packet. The type of operations that the probe performs 
can depend on the information the system operator would like to obtain from the probe. 

[0025] In one implementation, the probe 40 is a real-time, embedded system having one or 
more processors. The internal architecture is based on the Intel 80x86 architecture and as such 
uses a PCI-X/PCI-class bus for internal, peripheral communications. The processor(s) are Intel-
class CPUs such as the Intel Xeon/Celeron/Pentium running at 1 GHz or faster speeds. The 
probe 40 also includes memory - both cache memory and DRAM. The processor executes a 
real-time operating system and controls the functionality of the probe described below. 

[0026] A probe can contain one or more appropriate network interface cards (NICs) to make 
it suitable for a specific network topology. Each NIC can provide an interface to one or more 
network links. There can be multiple NICs in a system. For example, if multiple LAN/WAN 
links are monitored by a single probe 40, a NIC for each LAN/WAN link may be connected to or 
otherwise integrated into the motherboard. Other links (e.g., LAN, WAN) can also have 
associated network interface cards. Each NIC card communicates data to and from the processor 
via one of the data busses on the motherboard. 

[0027] In addition to capturing and analyzing network traffic, the probe 40 translates the data 
monitored on the LAN/WAN link 15 into a format that is usable by an IDS 50. After translation, 
data monitored by the probe 40 is forwarded to an IDS 50 over the second network 45. Such 
monitored data, in some implementations, can be filtered and processed before communication to 
the IDS 50. For example, the IDS 50 may be configured to only receive data in standard Ethernet 
format (e.g. according to a format specified in IEEE 802.3). As such, the probe 40 translates the 
data from the LAN/WAN link format into the Ethernet format. After the probe 40 converts the 
data, additional filtering of the data can be performed. The filtering can remove management and 
other network traffic that is not useful to the IDS in determining whether or not an intrusion 
attack is underway. 

[0028] The IDS 50 can be any sort of intrusion detection system. Typically, such a system 50 
is a software application program running on a server-class computer with an operating system 
such as Windows NT or Linux. The IDS 50 could alternatively be a special purpose device, or a 
combination of hardware and software. Commercially available IDS systems 50 typically have a 
limited number of networks on which they are capable of running, and many are only configured 
to run on Ethernet-type networks. Although this is not a limitation on the invention, the system 
and method described here are particularly well suited for IDS solutions in which the 
manufacturer has focused on the software logic capabilities of the IDS 50, and not on providing 
hardware-based capabilities. The capabilities of the probe 40 and the IDS 50 are especially 
compatible in such cases. 

[0029] The second network 45 can be any sort of network, and typically will be designed as 
the type of network on which the IDS 50 will perform most efficiently. For example, if the IDS 
50 is only configured to operate on Ethernet, the second network 45 can be an Ethernet network. 
The second network 45 can be a link only between the probe 40 and the IDS 50, and this will 
allow for the full use of the network bandwidth for the purposes described here. The probe 40 
and the IDS 50 can use the second network for communication other than the relaying of network 
traffic. Optionally, there can be another network link (not shown) that connects the probe 40 and 
the IDS 50 so that they can communicate other information. For example, the IDS 50 can request 
the audit trail buffer contents, and receive the buffer data, over the second network 45 or over 
another network link, if present. Likewise, the IDS 50 can receive MIB data over the second 
network 45, or over another network link, if present. 

[0030] The IDS 50 processes the communicated data to determine whether or not an 
intrusion attack is underway. By incorporating translation and filtering functionality into the 
probe 40, the accuracy of intrusion determination is significantly increased, because the probe is 
designed to capture and process the data flowing to and from the gateway 20. The IDS 50, which 
may not be otherwise capable of monitoring at such an advantageous network point (e.g., the 
LAN/WAN link) or separating management traffic from other traffic, can take advantage of the 
probe's placement in the network and of the probe's filtering capabilities. 

[0031] In one implementation, the IDS can make use of network performance information 
that is collected by the probe. Knowledge of the traffic profile, i.e. network statistics relating to 
protocols, hosts, and conversations, server & client response times, network Quality-of-Service 
conditions, historical traffic profile, and even actual packet traces, provides additional data points 
for security analysts in their endeavor to detect intrusion attacks. For example, if the IDS 
monitors a network parameter, it can determine when that parameter is outside of a normal, or 
expected range. Just as one illustrative example, if the number of "pings" on Mondays between 4 
and 4:15 PM is typically around 50 +/- 10, a reading of 200 pings might be indicative of an 
intruder. Likewise, other information-gathering requests could be indicative of an attempted 
intrusion. A probe typically can be configured to record the number, duration, and amount of 
network traffic, and can categorize the traffic by protocols, hosts, and conversations, as well as 
other information specified in the various MIBs. This information can be made available to the 
IDS, and can be the basis for predetermined or user-specified alerts or action by the IDS. 

[0032] With reference to FIG. 2, in one embodiment, a probe 55 includes hardware and 
related software to provide the functionality described in more detail below. More specifically, 
the probe 40 includes a packet converter module 60. The converter module 60 receives 
LAN/WAN or trunked LAN/WAN traffic. The converter module 60 aggregates the received 
traffic when trunked traffic is received. Aggregation refers to combining traffic from the various 
LAN/WAN links such that it appears as though the traffic is coming from a single logical point. 

[0033] As described above, the probe 55 can include a plurality of NIC cards each connected 
to a respective LAN/WAN link. Traffic received by each NIC is stored in a local memory 
location of the probe in the form of a linked list. The converter module 60 converts the 
LAN/WAN traffic such that it appears to be LAN traffic. This conversion is described in further 
detail below. Packets from multiple networks can, optionally, be aggregated. 

[0034] A filter module 70 is in communication with the converter module 60 and receives the 
converted traffic. The filter module 70 filters the converted traffic to remove traffic that may not 
be useful to an IDS 50 in determining an intrusion attack. Each packet is reviewed, and if it 
meets certain predetermined criteria, is not forwarded (i.e., filtered). For example, management 
traffic may be filtered by a set of pre-defined or user-specified filters. In one embodiment, the 
filter module is a software module. The processor of the probe 55 executes the filter module 70 
to perform the filtering process. 

[0035] An audit trail buffer 80 is in communication with the filter module 70 and receives 
the filtered network traffic. (In other embodiments, not shown, the audit trail buffer stores 
unfiltered traffic.) The audit trail buffer 80 stores the filtered data to provide an expansive record 
of the converted traffic. As individual frames of network traffic are converted and filtered, they 
are forwarded to the IDS 50 for analysis. When the IDS 50 detects a possible intrusion attack, 
the event can be communicated to the probe 55, and the traffic stored in the audit trail buffer 80 
can be forwarded to the IDS 50 or other system for further forensic analysis. In one embodiment, 
the audit trail buffer is an allocated portion of RAM memory of the probe 40. The size of the 
audit trail buffer 80 also can be programmable by a user, and is typically between 64 kbytes and 1 
Gigabyte. 

[0036] In one embodiment, the contents of the Audit Trail buffer may be fed to an external, 
permanent storage media so that continuous, 24x7 Network surveillance can be performed. This 
externally stored data can then be analyzed or replayed to further examine Network Activity for a 
specific time frame in the past. Analysis can be done using existing Applications such as 
NetScout's nGenius Performance Manager. In addition, if the stored data contains multi-media 
traffic (e.g., based on Voice-over-IP Protocols), then an external Media Player could be used to 
extract the relevant information from the stored data and replay the audio/video portion of the 
traffic. This would provide additional supplementary information that would be very useful for 
Network Surveillance - especially if the Voice-over-IP (VoIP) components of the Network are 
being compromised. Using an internal state machine algorithm, the Probe can automatically 
track all the currently used VoIP Protocols such as H.323, MGCP, SIP, RTP, RTCP, etc., and 
enhance the quality of information that is externally saved if the traffic-type is VoIP. For 
example, besides storing the Audio/Video portion of the traffic, other pertinent information such 
as Phone Numbers, Phone Numbering Plan, IP address, QoS (Quality of Service) parameters, 
Call Duration, Call Connect and End times, etc., will also be encoded in the traffic that is directed 
to an external Storage Media. 

[0037] A traffic analyzer module 90 is in communication with the audit trail buffer 80 and 
receives the filtered and converted network traffic. The traffic analyzer module 90 calculates 
network performance statistics related to the filtered and converted traffic. The calculated results 
can be forwarded to, for example, an NGENIUS network management client (NMS). In one 
embodiment, the traffic analyzer module 90 is a software module that is executed by the 
processor of the probe 55. 

[0038] A performance analyzer module 100 also receives the traffic on the first network and, 
in turn, gathers performance information for the first network. These results can be stored in a 
management information base (MIB), such as the RMON1 MIB, RMON2 MIB, NetScout's 
Universal Response Time MIB and VoIP MIB, and the Mini-RMON1 MIB, and also can be 
forwarded, for example, to a network management client and/or to an IDS. In one embodiment, 
the performance analyzer module 100 is a software module that is executed by the processor of 
the probe 55. 

[0039] Although the above functionality is described with reference to specific hardware and 
software in general, the functionality can be implemented in various ways. With reference to 
FIG. 3, in one embodiment, a network device, such as a probe, receives traffic from a first 
network, such as a LAN/WAN link, or from trunked WAN traffic. If trunked traffic is received, 
the traffic is aggregated, that is, combined such that it appears to emanate from a single logical 
source (STEP 100). Optionally, the first network traffic can be analyzed (STEP 110) to 
determine status and performance. The received traffic is converted from the received format 
into a second network format (STEP 120). For example, various portions of a frame can be 
removed and new portions added as replacements to, for example, format the frame for a LAN 
instead of a LAN/WAN link. 

[0040] The converted data is then filtered (STEP 130). The filtering step is optional and may 
not be necessary in all implementations. Various filtering techniques can be used; for example, 
pre-defined software and hardware filters that remove network management traffic can be used. 
In addition, user-defined (or programmable) software and hardware filters can be used to remove 
traffic from specific users and/or network locations. Typically, the data that is filtered is selected 
for filtering because it is not useful to an IDS and therefore is removed to increase the 
performance and accuracy of intrusion detection. 

[0041] The filtered data can be stored, for example, in an audit trail buffer, as described 
above. The filtered data is also forwarded to the IDS system (STEP 150) for analysis. 
Optionally, the filtered data can be analyzed to determine the performance of the network link 
connecting the probe and the IDS (STEP 160). 

[0042] With reference to FIG. 4, an embodiment of the converter module 60 includes a 
collection buffer module 110. The collection buffer module 110 receives the traffic from each 
interface, and stores the data. In one embodiment, the collection buffer module 110 uses the 
local RAM memory of the probe to store the data. The received traffic is stored as linked lists, 
with each linked list associated with a network interface. If trunked traffic is received from 
multiple interfaces, for example, traffic from each link is stored in a respective linked list. For 
example, if the probe is connected to three separate LAN/WAN links, the collection buffer 
maintains three separate linked lists of received traffic, one for each respective LAN/WAN link. 

[0043] The converter 60 also includes a stripper module 120 in communication with the 
collection buffer module 110. The stripper module 120 receives network traffic from the 
collection buffer module 110. The stripper module removes headers originating with the first 
network (e.g., the WAN header), and removes an encapsulation header if necessary. In one 
embodiment, the stripper module 120 is a software module that is executed by the processor of 
the probe 55. The stripper module 120 sequentially accesses the linked list(s) in the collection 
buffer 110. In general, one packet from each link is processed at a time. In other embodiments, 
for example with multiple processors, multiple packets can be processed in parallel. 

[0044] The converter further includes an adder module 130 in communication with the 
stripper module 120. The adder module 130 receives the stripped frames from the stripper 
module 120 and converts them into traffic suitable for the second network link. For example, the 
adder 130 can prepend the stripped LAN/WAN traffic with pseudo-MAC headers associated with 
Ethernet. The headers are referred to as pseudo-MAC headers because the source and destination 
MAC address are predetermined. In one embodiment, the Ethernet conversion module 130 is 
implemented in software and executed by the processor of the probe. The Ethernet conversion 
module 130 processes one packet at a time. In other embodiments, multiple packets can be 
processed in parallel. 

[0045] The filter module 70 can include pre-defined filters 140 and, optionally, a set of user-
defined filters 150. The filters can utilize predefined sets of criteria to determine whether a 
packet should be forwarded. For example, the pre-defined filters 140 can be configured to filter 
traffic that is not useful to the IDS 50 in diagnosing an intrusion attack. For example, 
management network traffic may be filtered out by the pre-defined filters 140. More specifically, 
for ATM traffic, F4 OAM, F5 OAM, Flow Control (e.g. RM Cell), UNI 3.x and UNI 4.0 frames 
can be filtered. User-defined filters 150 can remove additional traffic. These filters can be 
designed by a system operator to remove, for example, a particular type of packet, or traffic from 
a specific Internet site or user. The filtered traffic can be stored in the audit trail buffer 90, as 
described above. In one implementation, the pre-defined filters 140 are software modules that 
are executed by the processor of the probe, and the user-defined filters 150 are implemented as 
the same or as a different software module executed by the processor of the probe. 

[0046] Although the above functionality is described with reference to particular hardware 
and software, the functionality can be implemented in various ways. With reference to FIG. 5, in 
general, traffic received from a first network link (e.g., the LAN/WAN link and/or aggregated 
links described above) is collected (STEP 170). This can take place in the collection buffer 
described above or in other data storage. After collection, certain aspects associated with the first 
network link are removed (STEP 180). For example, if ATM frames are received, the WAN 
headers are removed from the individual frames. Subsequently, aspects associated with a second 
network link are added to the stripped frames for communication over the second network link 
(STEP 190). For example, LAN headers and/or checksums can be added. 

[0047] After conversion to the format of the second network, the traffic can be filtered by a 
set of pre-defined filters (STEP 200). The pre-defined filters remove traffic not of interest to 
the IDS. For example, in an ATM WAN, F4 OAM, F5 OAM, flow control (e.g., RM cell), UNI 3.x 
and UNI 4.0 frames, PNNI v1.x frames, and encapsulation-specific control frames can be 
filtered. Optionally, a set of user-defined filters can be used to remove additional traffic 
(STEP 210). These filters can be programmed by a system user. Once the filtered packets have 
been removed, the remaining data is stored (STEP 140), for example, in an audit trail buffer, as 
described above. 
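The pre-defined ATM filter of paragraphs [0045] and [0047], as an added worked example in Python. This is illustrative code written for this page, not the patent's implementation. Cells are classified by the reserved VCI values (3 and 4 for F4 OAM, 5 for UNI 3.x/4.0 signalling, 18 for PNNI routing) and PTI codes (4 and 5 for F5 OAM, 6 for RM flow-control cells) defined for the ATM user-network interface; the sample cells are constructed, with a zero HEC and an empty payload, and the function names are the example's own.

```python
"""Pre-defined ATM control-traffic filter (illustrative; not the patent's code).

Classifies 53-byte cells by the reserved VCI and PTI values of the ATM UNI and
drops everything that is not user data, so only user-plane traffic reaches the IDS.
Header of a UNI cell, most significant bit first:
    GFC(4) | VPI(8) | VCI(16) | PTI(3) | CLP(1) | HEC(8)
"""

HEADER_LEN = 5

# Reserved VCIs that carry management or control traffic on every VPI.
RESERVED_VCI = {
    3: "F4 OAM (segment)",
    4: "F4 OAM (end-to-end)",
    5: "UNI signalling",      # UNI 3.x / UNI 4.0 call control
    18: "PNNI routing",
}

# PTI codes that mark non-user cells carried on a user VCI.
RESERVED_PTI = {
    4: "F5 OAM (segment)",
    5: "F5 OAM (end-to-end)",
    6: "RM (flow control)",
}


def parse_header(cell: bytes) -> dict:
    """Decode the first four header bytes; the HEC byte is not checked here."""
    if len(cell) < HEADER_LEN:
        raise ValueError("need at least a 5-byte ATM cell header")
    word = int.from_bytes(cell[:4], "big")
    return {
        "gfc": word >> 28,
        "vpi": (word >> 20) & 0xFF,
        "vci": (word >> 4) & 0xFFFF,
        "pti": (word >> 1) & 0x7,
        "clp": word & 0x1,
    }


def classify(cell: bytes) -> str:
    """Name the traffic class of a cell; 'user data' means forward it."""
    h = parse_header(cell)
    if h["vci"] in RESERVED_VCI:
        return RESERVED_VCI[h["vci"]]
    if h["pti"] in RESERVED_PTI:
        return RESERVED_PTI[h["pti"]]
    return "user data"


def predefined_filter(cells):
    """Split a cell stream into (kept, dropped) lists of (class, cell) pairs."""
    kept, dropped = [], []
    for cell in cells:
        kind = classify(cell)
        (kept if kind == "user data" else dropped).append((kind, cell))
    return kept, dropped


def make_cell(vpi: int, vci: int, pti: int, clp: int = 0, gfc: int = 0) -> bytes:
    """Constructed 53-byte cell with a zero HEC and a zero payload (test input only)."""
    word = (gfc << 28) | (vpi << 20) | (vci << 4) | (pti << 1) | clp
    return word.to_bytes(4, "big") + b"\x00" + bytes(48)


if __name__ == "__main__":
    sample = [
        make_cell(0, 32, 0),   # user data, not the last cell of an AAL5 PDU
        make_cell(0, 32, 1),   # user data, last cell of an AAL5 PDU
        make_cell(0, 4, 0),    # F4 end-to-end OAM
        make_cell(0, 32, 5),   # F5 end-to-end OAM on the user VC
        make_cell(0, 32, 6),   # RM cell
        make_cell(0, 5, 0),    # UNI signalling
        make_cell(0, 18, 0),   # PNNI routing
    ]
    kept, dropped = predefined_filter(sample)
    print(f"kept {len(kept)} user cells, dropped {len(dropped)} control cells")
    for kind, _ in dropped:
        print("dropped:", kind)
```

OAM and RM cells are single cells rather than AAL5 frames, so a filter of this kind sits at the cell level alongside the probe's SAR stage; the user-defined filters of STEP 210, which act on packet type or source, operate more naturally on the converted Ethernet frames.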

[0048] With reference to FIGS. 6A and 6B, in an illustrative example, the first network is a 
WAN 10 that incorporates an ATM topology utilizing LAN Emulation (LANE) 1.x 
encapsulation. The second network link is a 100Base-T Ethernet LAN. The probe 40 monitors 
the first network and performs segmentation and reassembly (SAR) to convert ATM cells into 
frames. Each frame is stored in the collection buffer 110 prior to conversion to Ethernet 
format. A typical frame is shown in FIG. 6A. The frame includes a LANE header 200, a Native 
Ethernet Destination Address 201, a Native Ethernet Source Address 202, the Ethertype 203, the 
data payload 204 and a Cyclic Redundancy Check (CRC32) 205. 

[0049] After collection, each frame stored in the collection buffer 110 is stripped of the 
WAN header and also the encapsulation header, if necessary. The WAN header format depends 
on the underlying physical media and the encapsulation used; therefore, depending on 
configuration, the probe removes the corresponding header elements. After removing the LANE 
header 200, the Native Ethernet Destination Address 201, and the Native Ethernet Source 
Address 202, the probe prepends the frame with a pseudo-MAC header. For example, an 
inbound frame can be prepended with a predetermined destination MAC address 210, such as 
00-80-8c-55-55-55, and a predetermined source address 211, such as 00-80-8c-AA-AA-AA. An 
outbound frame can be prepended with the opposite source 211 and destination 210 addresses. In 
this way, the packets on the link appear to be exchanged between two nodes, and the direction of 
each packet remains recoverable from the address pair. Additionally, a new checksum 215 is 
calculated over the converted frame. 
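The strip-and-add conversion of paragraphs [0043]-[0044] and [0048]-[0049], as an added Python example written for this page; it is not the patent's code. It assumes a 2-byte LANE 1.x data-frame header (the LEC ID) in front of the native Ethernet frame and assumes that the collected frame's CRC32 205 covers the native frame that follows the LANE header. It also adds two steps the text does not mention: the CRC is verified before stripping, and the payload is padded to the 46-byte Ethernet minimum so the converted frame is valid on the 100Base-T link. The sample frame is constructed and the function names are the example's own.

```python
"""Stripper and adder for one LANE 1.x frame (illustrative; not the patent's code).

Input layout (FIG. 6A, with an assumed 2-byte LANE header):
    LANE hdr | native dst MAC | native src MAC | Ethertype | payload | CRC32
Output layout (FIG. 6B):
    pseudo dst MAC | pseudo src MAC | Ethertype | payload (+pad) | new FCS
"""
from __future__ import annotations
import zlib

LANE_HEADER_LEN = 2      # assumption: LANE 1.x data frame header is the 16-bit LEC ID
MAC_LEN = 6
ETHERTYPE_LEN = 2
FCS_LEN = 4
MIN_ETH_PAYLOAD = 46     # added: pad so the frame meets the Ethernet minimum size

# The fixed addresses named in paragraph [0049]; inbound frames use this order,
# outbound frames the reverse, so every converted packet looks like traffic
# between the same two nodes and direction is encoded in the address pair.
PSEUDO_DST = bytes.fromhex("00808c555555")   # 00-80-8c-55-55-55
PSEUDO_SRC = bytes.fromhex("00808caaaaaa")   # 00-80-8c-AA-AA-AA


def ethernet_fcs(data: bytes) -> bytes:
    """IEEE 802.3 FCS: the CRC-32 that zlib computes, sent least-significant byte first."""
    return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")


def fcs_ok(frame: bytes) -> bool:
    """True if the last four bytes are a valid FCS over the rest of the frame."""
    return len(frame) > FCS_LEN and ethernet_fcs(frame[:-FCS_LEN]) == frame[-FCS_LEN:]


def strip_wan(frame: bytes) -> tuple[bytes, bytes]:
    """Stripper: drop LANE header, native addresses and old CRC; return (ethertype, payload)."""
    native = frame[LANE_HEADER_LEN:]
    if len(native) < 2 * MAC_LEN + ETHERTYPE_LEN + FCS_LEN:
        raise ValueError("frame too short for a LANE-encapsulated Ethernet frame")
    if not fcs_ok(native):
        # Added check: a frame damaged in transit or by SAR must not reach the IDS
        # with a freshly computed, and therefore valid-looking, checksum.
        raise ValueError("collected frame fails its CRC32")
    body = native[2 * MAC_LEN:-FCS_LEN]
    return body[:ETHERTYPE_LEN], body[ETHERTYPE_LEN:]


def add_pseudo_mac(ethertype: bytes, payload: bytes, inbound: bool) -> bytes:
    """Adder: prepend the fixed pseudo-MAC header, pad, and append a new FCS."""
    dst, src = (PSEUDO_DST, PSEUDO_SRC) if inbound else (PSEUDO_SRC, PSEUDO_DST)
    padded = payload.ljust(MIN_ETH_PAYLOAD, b"\x00")
    frame = dst + src + ethertype + padded
    return frame + ethernet_fcs(frame)


def convert(frame: bytes, inbound: bool) -> bytes:
    """Stripper followed by adder for a single frame from the collection buffer."""
    ethertype, payload = strip_wan(frame)
    return add_pseudo_mac(ethertype, payload, inbound)


def build_lane_frame(dst: bytes, src: bytes, ethertype: bytes, payload: bytes,
                     lec_id: int = 1) -> bytes:
    """Constructed sample input in the FIG. 6A layout (for demonstration only)."""
    native = dst + src + ethertype + payload
    return lec_id.to_bytes(2, "big") + native + ethernet_fcs(native)


if __name__ == "__main__":
    sample = build_lane_frame(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                              b"\x08\x00", b"constructed IP payload")
    print("inbound :", convert(sample, inbound=True).hex())
    print("outbound:", convert(sample, inbound=False).hex())
```

Note that the native addresses 201 and 202 do not survive conversion, so any layer-2 attribution the IDS or a later forensic review needs has to come from the inbound/outbound direction encoded in the pseudo-MAC pair and from the protocol headers inside the payload.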

[0050] Note that because FIGS. 1 through 5 are block diagrams, the enumerated items are 
shown as individual elements. In actual implementations of the invention, however, they may be 
inseparable components of other electronic devices such as a digital computer. Thus, actions 
described above may be implemented in software that may be embodied in an article of 
manufacture that includes a program storage medium. The program storage medium includes 
data signals embodied in one or more of a carrier wave, a computer disk (magnetic, or optical 
(e.g., CD or DVD), or both), non-volatile memory, tape, a system memory, and a computer hard 
drive. 

[0051] From the foregoing, it will be appreciated that the system and method of detecting 
network intrusions afford a simple and effective way to monitor network performance and 
integrity. Embodiments of the invention are able to interact seamlessly with the network, sense 
network conditions, ascertain network performance, and identify instances of potential intrusion. 
A system and method according to the invention minimizes instances of over- and under- 
detection, thereby increasing efficiency and accuracy. 
[0052] One skilled in the art will realize the invention may be embodied in other specific 
forms without departing from the spirit or essential characteristics thereof. The foregoing 
embodiments are therefore to be considered in all respects illustrative rather than limiting of the 
invention described herein. Scope of the invention is thus indicated by the appended claims, 
rather than by the foregoing description, and all changes that come within the meaning and range 
of equivalency of the claims are therefore intended to be embraced therein. 

[0053] What is claimed is: 